How we can manage roles and permissions using fast-API dynamically?

[ghost]

First Check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

class RoleChecker:
    def __init__(self, allowed_roles: List):
        self.allowed_roles = allowed_roles #utils.get_roles(Role)

    def __call__(self, user: User = Depends(oauth2.require_user)):
        print("user=======>", user)
        if user['role'] not in self.allowed_roles:
            logger.debug(f"User with role {user['role']} not in {self.allowed_roles}")
            raise HTTPException(status_code=403, detail="You have not a permission to performe action.")
        


allow_create_resource = RoleChecker(["admin"])
@router.post('/assign_roles', dependencies=[Depends(allow_create_resource)])
def assign_roles(assign_role: schemas.AssignRole ,user_id: str = Depends(oauth2.require_user)):
    
    roles = utils.get_roles(Role)
    
    
    email = assign_role.dict()['email']
    desired_role = assign_role.dict()['role']
    
    count = User.count_documents({"email": str(email)})
    
    role_count = Role.count_documents({"role": str(desired_role)})
    
    if count == 0:
        raise HTTPException(status_code = status.HTTP_404_NOT_FOUND, detail=f"User for email {email} does not exist")
    
    if role_count == 0:
        raise HTTPException(status_code = status.HTTP_404_NOT_FOUND, detail=f"please used only given roles => {','.join(role if role != 'admin' else '' for role in roles)} ")
    
    res = userResponseEntity(User.find_one({"email": str(email)}))
    
    user_id = user_id["id"]
    
    user = userResponseEntity(User.find_one(ObjectId(str(user_id))))
    
    if user['role'] != res['role']:
        dict = assign_role.dict(exclude_none=True)
        User.update_one(
            {'_id': ObjectId(str(res['id']))}, {'$set': dict})

        return {
            "message": f"user email {email} role {res['role']} updated to {desired_role}",
            "loged_in_user": user
        }
    
    return {
        "user": user
    }

Description

I research a lot but not find any good way to manage roles and permission dynamically using FastApi. if you guys have any idea please let me know.Thanks in advance

Operating System

Linux

Operating System Details

No response

FastAPI Version

0.87.0

Python Version

3.10.8

Additional Context

No response

[pythonweb2]

Can you please clarify what is wrong with the code snippet and what you are trying to accomplish, as well as what you mean by managing roles and permissions dynamically?

There is a section in the documentation about using oauth2.0 scopes (https://fastapi.tiangolo.com/advanced/security/oauth2-scopes) which is a way to manage permissions. As mentioned in the docs, you will want to have some way to persist the permissions for each user (using a database of some sort or using a predefined list of permissions).

You can also create a custom dependency to check permissions each time the user makes a request to your endpoints, which may be necessary if you need the ability to immediately revoke permissions for a user without invalidating their JWT.

[ghost]

@waderoberts123 I need Roles and permission for proper articles for good understanding. From the docs I cannot understand how we can work on that case. For example, users have 500 Roles and every role against different permissions so how do we handle dynamically without specifying specific roles e.g i use static roles and check if users have this role 'admin' or not. So I need the proper way of managing roles and permissions. For example, one user has posts.
we create 2 roles specify something for those roles if we add one role or more or edit existing role then our function not work fine because we change the role name but user have same role in user model role field so i need proper way for managing Role management and permission managements on the base of User.
I try one way is

create a table name Role
which have
user_id and role_name

and create another table name Permissions which have

role_id and different permissions
can_create: bool = False can_edit: bool = False can_add: bool = False can_update: bool = False can_delete: bool = False can_view: bool = False
so i want to manage all roles and permissions accordingly if you have any proper example please let me know because i already try no one example on google fit according to my needs.

[tacan]

Hi Syed,
I think this is not (and should not be) a concern of the FastAPI framework. You should look into RBAC and ABAC, authorization models, enterprise design patterns, etc. There are whole libraries whose only concern is this one topic. I. suggest you take a look at OSO or Cerbos if you want a python based library. There is also Casbin and many others that have a python interface. I hope this helps.

[ghost]

@tacan these libraries we can use with fastAPI?

[tacan]

Yes, of course. You just have to install them via pip (or any other tool you use) and then import and implement the access control logic in your path functions. Better yet, you can create helper functions or classes in external modules and just use them in your path functions.

[ghost]

@tacan please share with me any library link you recommend who fix my problem.

[yinziyan1206]

I use request.auth.scopes to check permissions and it is used in Starlette by @requires([any_scopes]). And you can create a dependency to authorize it

[hsluoyz]

@SyedKashifNaqvi PyCasbin (https://github.com/casbin/pycasbin) is a pure Python implementation for all RBAC and ABAC authorization (instead of just a client library that talks to an auth server via HTTP). It also provides a fastapi middleware: https://github.com/pycasbin/fastapi-authz for people to get started quickly. Maybe documentation can be added to let more people know.

[TheJumpyWizard]

@hsluoyz I hadn't seen fastapi-authz until now! Looks very useful/simple thanks for sharing

[EtceterisCDev]

Thanks a lot for sharing these information.

I will study this package in depth.
It could save us a lot of time.

[EtceterisCDev]

Just an update.

We implement a FastAPI / Casbin solution and we are very happy with that.

We use the facilities provided by FastAPI and we define some conventions on the tags associated to each route.
We overload the standard documentation tools in order to filter our internal purpose tags,in order not to expose these extra informations.

And we have a user management with FastAPI that link that with Casbin and the tags.

If needed, don't hesitate to ask questions.

[RetardRento]

Hey @EtceterisCDev Im in the same problem now, as my company needs a RBAC solution that can have dynamic role's like or a set of predefined permissions ( like how discord has permissions ) and each new role created or user could have any combination of these permissions ( EX: read , or write only or ability to access a specific endpoint or to edit a file etc)

please guide me on how you went with the approach of doing dynamic roles and also how did you store them in the db? thank you!